Thursday, June 2, 2016

The End, and The Beginning

CYBR650 Week 12

What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.  - T. S. Eliot

Focus on the journey, not the destination. Joy is found not in finishing an activity but in doing it.  - Greg Anderson

Beginnings and endings.  As T. S. Eliot implied, they are often easily inverted.  This is clearly an ending for me.  One more item to check off my bucket list, completion of a Master’s Degree.  But, also a beginning.  I’m not sure what this is the beginning of, so, it’s with a sense of anticipation that I look to the future, with a sense of serendipity. 

So what have I learned in these final courses for the completion of my MS in Cybersecurity?  First, I’m humbled by the eternal lesson of learning what I don’t know.  Every lesson showed me one more time that there is so much more to know, knowledge that will only come with practice.  And with each question answered, the humbling realization that I now have more questions. 

But on a more practical note, I feel prepared to take on new challenges.  I’ve also gained confidence to learn those new lessons, and to step into challenges I wouldn’t have had the courage to attempt.  I know they won’t all be successes, but some of the best lessons are tempered in failure. 

At moments like this I often think of my father.  He was a scholar in the true sense of the word.  Always curious, always asking and always seeking a better understanding of the world around him.  He loved history.  I’m liking it more and more, but my passion is technology.  However, I would say technology in the realm of relationships.  Technology provides the puzzles that need to be solved, people make the search for the answer interesting.  We often talk about the human factor as the great variable in cybersecurity.  It takes the work from being a technical solution to one more art than science.  I know my father would find my work and my understanding of life in this context something worth discussing.

And I know my father would appreciate that I embraced the challenge and saw it through.  I encourage anyone who reads this to challenge yourself.  It may not be a degree in cybersecurity, but find your passion and begin the journey.  Bellevue University is a great place to pursue a degree, well designed with enthusiastic staff who sincerely work to help you find your success.  But if your passion is something else, pursue it, embrace it, follow it, grow through it.   Reach outside yourself, step out of your comfort zone.  It will be an exciting journey, a beginning, and an end, all at the same time.

Monday, May 23, 2016

The Advantages of Women in Technology

CYBR650 - Week 10


"When you put the helmet on, it doesn't matter if you are woman or man: your mission is to compete to win.  The important thing is your ability, your intelligence and your determination." 
Milka Duno, race car driver

“Recognize and embrace your uniqueness.  I don’t think the ratios are going to change anytime soon.  But I don’t think it has to be a disadvantage.  Being a black woman, being a woman in general, on a team of all men, means that you are going to have a unique voice.  It’s important to embrace that.”
 Erin Teague, Yahoo director of Product Management

While 57 percent of occupations in the workforce are held by women, in computing occupations that figure is only 25 percent.  This disparity is apparently getting worse, as fewer women are graduating from college with computer science degrees than there were in the 1980’s.  What is the impact of fewer women in technology jobs? 
Women are needed in technology fields

Current research indicates gender diversity has many benefits.  Diverse teams –not all male or all female -- tend to be more productive and have better team dynamics.  Interestingly, technology work teams stay on schedule and under budget when they are gender diverse.  These teams are more likely to experiment, are more likely to share knowledge and to complete tasks.  On the organizational level, when diversity is actively encouraged and facilitated in the workplace, it’s beneficial, but if ignored, there are more communication issues and weaker cohesion in work teams.

Time magazine reported that the gender gap in cybersecurity makes everyone less safe.  This is partly driven by the fact that there are fewer people available to work in cybersecurity when only half of the population are seeking jobs in the field.  Women only comprise 10 percent of the information security workforce.  Another significant factor is that security solutions aren’t developed with half the population in mind.  Since women experience the world differently, they also come up with different solutions to security issues.  In general, women are more sensitive to privacy issues than men, most likely because they are more affected by attacks on privacy.  One factor in this disparity could be due to the military and industrial roots of the field.  Terminology such as 'cyberwar' tend to discourage women from being interested. 

So what can be done to improve the situation?  Time suggests cybersecurity job postings should emphasize communal, mission oriented, human-centered impact, instead of corporate mission and defense.  But women need to be interested and trained long before the job posting.  Audrey MacLean, former CEO and financier for numerous successful tech start-ups, says the key is to interest girls in computing in grade school, with games that don’t involve violence, but offer challenges they find interesting.  My own experience with a daughter who became an industrial engineer, is that she found the teamwork, problem solving and product development interesting during college and loves the data analysis work she’s doing now.  But what peaked her interest in middle school, was a Disney website that discussed careers for their amusement parks. 

Whatever the solution, it may be too late for the technology demands in the next 10 to 15 years.  The tech sector is already short on college graduates who can fill IT jobs.  

Sunday, May 15, 2016

Watson Applies Machine Learning to Cybersecurity

CYBR650 - Week 9

By learning you will teach, by teaching you will learn. – Latin Proverb

I'm working on artificial intelligence. Actually, natural language understanding, which is to get computers to understand the meaning of documents. -- Ray Kurzweil, computer scientist and futurist

IBM announced earlier this week that they were beginning a new year-long cybersecurity initiative with eight North American Universities.  These universities all have strong cybersecurity programs.  The university students will be working to train and then analyze security data for trends using IBM’s Watson technology platform
http://www.wallpaperhd.pk/machine-learning-smart-brain-wallpaper/

IBM’s Watson is a cognitive computing system and former Jeopardy champion.  Watson uses machine learning to extrapolate patterns from large data sets.  The process is to allow the computer to learn from unstructured data, then to make predictions based on its programming, then repeat the process.  This produces reliable, repeatable results.  It’s very similar to artificial intelligence.  Machine learning uses large amounts of unstructured data (in this case, on a specific topic) and makes predictions, tests them against the data and then modifies the algorithm and repeats the “learning” process again.  As new data is added, the system adjusts.  This is one of the methods Google used to program its self-driving car.  The Google car used machine learning to understand how other vehicles behave on the road with 70,000 miles of driving data.  Recording how other drivers and different types of vehicles respond to slow vehicles, obstructions in the road and other situations.  The car learns from others and from its own actions and constantly adjusts the rules that it uses to drive.  The more the car drives in an area, the better it does.

In the case of Watson’s cybersecurity machine learning, the students will train Watson by feeding large amounts of security reports, and other unstructured data.  This includes IBM’s X-Force research library which contains 100,000 documented vulnerabilities.  Watson uses natural language processing to read blog posts, news reports and other information.  The expectation is that Watson for Cybersecurity will reveal emerging threats and how to deal with them.

The project won’t start until fall of this year, so we don’t know if this will revolutionize cybersecurity, but IBM believes this will strengthen the case for Watson’s cognitive computing as a serious business platform.  It may also help with the skills gap of training new cyber professionals.  

Saturday, May 7, 2016

Security Trends by Generation

Cyber650 Week 8

Age is a high price to pay for maturity.  Tom Stoppard

Each generation imagines itself to be more intelligent than the one that went before it, and wiser than the one that comes after it.   George Orwell

One of those things that I’ve been wondering about lately is the differences in the generations,
demographic groups of people who share common characteristics. The chart gives one breakdown of the currently accepted generation titles and age ranges.  It isn’t news to anyone, that young and old view the Internet differently.  But if we look behind the curtain, there are some interesting differences in how people of different generations view security, online safety and their willingness to buy stuff online. 

I recently stumbled across an online report by a commercial VPN provider who offers a application based service to protect privacy, increase security and hide your location from others on the Internet.  The report, called The Dangers of Our Digital Lives, discusses the apparent disconnect between our attitudes and actions regarding online security.  I would expect that older people would be less trusting and therefore more cautious online.  On the other end of the spectrum, young people would care less about privacy, since they’ve grown up sharing too much information (at least in my opinion) on social media sites.  Of course, the report is biased toward getting people to use their service, but some interesting details come out.  I’ll summarize a few I found interesting here.

- The most secure are those who’ve experienced a security problem.  They improve their security posture by using two-factor authentication, password managers (and probably stronger passwords) and security layers (encryption, two-factor authentication, anonymizers and VPN’s). 

- Two thirds said they want extra layers of security, but very few actually use the tools that are available. 

- Two thirds shred their personal documents, but many post email addresses, home addresses and phone numbers online.

- Sixty percent post inaccurate information on social media as a safety precaution.

So how does age fit into this data?  Does age matter for good security decisions?  According to Kevin Murname, in his Forbes blog about boomers and privacy, baby boomers are the most likely go online daily (93%).  Murname says this is because they spent so much time using PC’s.  He points out the big names in creating the technology behind the Internet are all boomers.  They’re also least likely to use social media.  They’re the least likely to feel safe online.  Older generations like the Internet a lot less. 

So how do the first adopters of the Internet protect themselves?  They tend toward older technology protections such as encryption and anti-virus software and less likely to use two-factor authentication.  Oddly, the millennials felt more protected and reported the most security incidents. 

Just a few more statistics.  In general, most Americans have strong opinions about privacy and confidentiality.  According to a 2015 Pew Research Center report, the majority feel they should be able to maintain privacy about their personal lives.  Ninety three percent say it’s important to control who can get information about them.  Only six percent are confident the government can protect their records.

I’m at the tail end of the baby boomer generation, born in 1960, and I only partially fit demographic.  I took the online quiz that they offer to see what my security profile is and I came up “digitally enlightened.”   Most likely because I’m studying cybersecurity, I take more precautions than most to protect myself. 


What do you do to protect yourself?

Saturday, April 30, 2016

Claude Shannon

CYBR650 Week 7

“The stone age was marked by man’s clever use of crude tools; the information age, to date, has been marked by man’s crude use of clever tools.”-Author Unknown

The Information Age offers much to mankind, and I would like to think that we will rise to the challenges it presents. But it is vital to remember that information — in the sense of raw data — is not knowledge, that knowledge is not wisdom, and that wisdom is not foresight. But information is the first essential step to all of these.  Arthur C. Clarke

April 30th marks the 100th birthday of Claude Shannon, credited with being the father of the information age.  So who is this person who gets this kind of title, but was unknown to me until I saw today’s Google Doodle

Born in 1916, Shannon was a mathematician and an electrical engineer.  The most significant work that Shannon did was his master’s thesis called “A Symbolic Analysis of Relay and Switching Circuits” which described a new mathematical way to analyze and design circuits rather than the trial-and-error method of the day.  This came from his work at MIT trying to build an analog computer.  It worked, but took a week to solve a simple equation.  He discovered little known Boolean algebra and expanded on it to describe digital circuits.  His work, explained in the thesis, is the basis of all digital circuits such as microprocessors.  A chart of boolean circuits, used in all digital electronics, is displayed here. 

Some consider his paper written 8 years later, while he worked at Bell Laboratories in 1948, called “A Mathematical Theory of Communication” more important.  It presented the founding work of information theory, which studies the transmission, processing and extraction of information on a highly theoretical level.  It is the basis of cryptography, artificial intelligence complexity science and informatics.  It has more to do with probability than data.  While this theory is quite complex, its where the concept of the binary digit, or bit, was defined by Shannon which can be used to describe any information such as a song or picture.  The transistor was invented at Bell Laboratories that same year.

One really interesting aspect of his life is his design of a wearable computer he used to beat Las Vegas casinos at Blackjack with professional gambler Edward O. Thorpe.  The money they won was invested using the same theoretical basis in probability to beat the stock market, and Shannon didn’t need to work for the rest of his life.  He invented a lot of things but didn’t have any further impact on the world.  He died at age 87 suffering from severe dementia, so he never saw the results of his work that we call the Internet.

This post doesn’t specifically address anything directly related to security, but we wouldn’t be actively working in the information age and using the Internet without his work. 


Wednesday, April 27, 2016

Cyberwarfare on a Personal Level

CYBR650 Week 6

The supreme art of war is to subdue the enemy without fighting.
Sun Tzu

Ten soldiers wisely led will beat a hundred without a head.
Euripides


Cyberwarfare is Internet-based conflict involving politically motivated attacks on information and information systems. Cyberwarfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems -- among many other possibilities.

In 2009 the Secretary of Defense established the United States Cyber Command.  They have a threefold mission; Defending the Department of Defense (DoD) Information Network; support military commanders for execution of their missions around the world, and strengthening our nation’s ability to withstand and respond to a cyberattack.  So how is the Cyber Command doing in its three fold mission seven years later? 

1.  Defend the DoD Information Network – One of the first actions the Cyber Command took was to consolidate all the IT systems from the entire DoD – three branches, four uniformed services and nine unified commands (over 7 million devices) into a single unified architecture.  Very soon, the entire military will be linked through one command-and-control structure.  They’ve modernized the equipment and streamlined operations. There are some potential weaknesses created by this, but it seems to be outweighed by centralized monitoring, easy updating and quick response to attacks.

2.  Support Military Commanders - One of the biggest advantages of the unification is being able to provide a unified response to any attack from all services and from air, land or sea.

3.  Defend our nation against a cyberattack – While not perfect, defenses are getting stronger through a series of initiatives.  The DoD experiences 41 mission scans, probes and attacks each month.  The penetrations that were detected have all been quickly dealt with.  One of the biggest weaknesses in all of the breaches has been the human factor.  And believe it or not, the Cyber Command is doing better in fixing the human factor weaknesses than most private sector companies using a concept called high reliability organization or HRO.  These are systems that can’t afford to learn from mistakes such as nuclear power plants, air traffic control systems and high-speed rail, they have to correct deviations before they become problems.

How they did it – If any of you have experience with the US military, you will recognize they got a lot of work done in 7 years.  The Cyber Command modeled its operation on the US Navy’s nuclear propulsion program which has arguably the best safety record.  The nuclear program has built a culture on six principles that limit the impact of human error.

Integrity – strongly held convictions that eliminate deliberate departures from clear protocol.  Everyone reports mistakes immediately.  The standard is set very high and there are no second chances.  Everyone is accountable and held accountable for their actions.  The result is minor problems are reported and fixed quickly.

Depth of knowledge – training is thorough and broad.  The system is fully understood, including weaknesses.  Close supervision, testing and drills are common.

Procedural compliance – operational procedures are followed to the letter.  There is an extensive inspection system including simulated emergencies.

Forceful backup – Everyone who performs a high risk action is backed up with another fully qualified person so all risky tasks are performed by two people.  Everyone is authorized to stop a process when a problem arises.

Questioning attitude – operators are trained to question any anomalies that are detected and they must be corrected.

Formal communications – Directions are clearly stated in a formal, prescribed manner and repeated back verbatim.  Small talk is discouraged.


What we can learn – What are the lessons cyber professionals can learn from Cyber Command and the nuclear program?  Pretty much every human factor that leads to a breach is a violation of at least one of the principles.  Is it possible for your organization to operate at such a high standard?  Most likely it’s not possible, but everyone can build these concepts into their daily practices.  Training goes a long way in recognizing when something isn’t right.  Document processes and then follow them.  Always have a backout plan.  Communicate clearly.  Empower everyone on the team to speak up when they aren’t sure or don’t understand.  Strong leadership is critical to build this kind of environment.  If you don’t have a leader like this that you can follow, lead from where you are by enforcing these principles on yourself and those you can influence.  Be a high reliability employee in your cyberwarfare.

Tuesday, April 19, 2016

Is Bitcoin Secure?

CYBR650 Week 5


Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them. About the only thing you can’t do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do. –Steve Job

Digital currency.  Just the thing tech-savvy individuals like you and I should be both concerned and excited about.  It’s been around for 7 years now and all indications are it’s here to stay.  So, is bitcoin the currency of the future or just another way to lose money with technology?  Digital currency certainly could have security concerns.  It seems to be used for all sorts of illegal activities. But then again, real currency can be used for illegal activities.  First, let me explain how Bitcoin works.

Bitcoin is decentralized digital currency also referred to as cryptocurrency.  First, it’s digital, meaning there are no coins or paper money exchanged.  It uses public key cryptography certificates on a peer-to-peer network of bitcoin users.  It’s decentralized, meaning there is no main database of transactions and no central authority.  The transactions are stored redundantly on all the user’s computers in a blockchain ledger (distributed database), broadcast to the network.  A transaction is broadcast in a process that prevents bitcoin from being spent twice or spent in two transactions at the same time, since the transactions are recorded on all the computers in the peer-to-peer network.  Each transaction creates a hash value that is stored with the transaction.  If the hash changes, the transaction information has been changed and is not trusted.  Another blockchain ledger entry will be used to validate the data.

Bitcoins are mined by allowing a computer to process bitcoin transactions as part of the peer-to-peer network.  Anyone allowing their computer to be used for the transactions gets a small bitcoin reward for participating and the new bitcoins are added to the blockchain.  Bitcoins are stored in a bitcoin wallet, either an application on your computer or cell phone that stores your bitcoins, a web based third party that stores them for you or a hardware wallet which stores the keys on specially designed removable media.  Only the person with the private cryptokey can spend the bitcoin.  The wallet stores the private keys and a record of anyone you exchange bitcoins with without actually knowing who the other person is since you only have an address for the person.  The address doesn’t have any personal information.  The address is actually just a number.

Key Characteristics
Open Source – nobody owns or controls bitcoin.  Once it was introduced to the world, it started being used and will only cease to exist if everyone stops using it.

Efficient – There’s no third party (bank or credit card company) processing the transaction, so it’s fast and reliable. 

Inexpensive - There’s no third party (bank or credit card company) processing the transaction, so it’s very low cost.  Credit cards typically charge 2 to 4% per transaction for processing (transferring the funds from the buyer’s bank to the seller’s bank).  This is cheap because there is no bank involved, only the buyer and seller.  The transaction is stored in the blockchain.

Anonymous – transaction is recorded but the two parties are untraceable.  Anyone can see how many bitcoin are in an address, but they can’t find out who has that address.  To increase anonymity, a person can use multiple addresses for a single transaction.  There’s no record of what was bought or sold.

Secure – Bitcoin uses SHA-256 encryption for transactions and verification.  The next section outlines the security problems that bitcoin has had so far.

Security
There have been four bitcoin security breaches, but the security problems weren’t bitcoin issues, they were the same security issues any network faces.  All involved attacks on bitcoin wallets or accounts.  The first breach one was a social engineering attack that stole a password to an email address used for a bitcoin account.  The second, the Mt. Gox bankruptcy, was caused by inadequate network security in what was at one time the largest bitcoin exchange.  What wasn’t stolen by hackers was lost to poor management.  The third, Silk Road 2.0 was an attack against the darknet website’s bitcoin account.  There is speculation that it was a cover-up for corruption within the illegal site.  The fourth breach, called the Pony botnet, stole passwords to 85 personal, locally stored bitcoin wallets.  The weakness exploited was the computer system security, not a weakness in the bitcoin algorithm. 

Bitcoin appears to be here to stay.  There’s even some talk about banks and other large financial organizations using blockchain technology for transactions.  So the bottom line seems to be, bitcoin is safe, quick, cheap and reliable--as long as you protect your digital wallet.  Once again we find the importance of good security practices.


Bitcoin image courtesy of Imgur, http://imgur.com/Jdszyq9

Saturday, April 9, 2016

Snowden and the Panama Papers: A Comparison

CYBR650 Week 4

“There are pockets of wealth in this country. Mostly those pockets are in the politicians’ pants.” 
 Jarod Kintz, How to construct a coffin with six karate chops

I remember when I first heard about Edward Snowden’s leak of thousands of classified documents.  I remember distinctly feeling that what he had done was illegal and immoral and traitorous.  Last week when the Panama Papers were leaked I felt that something good had been done.   I immediately wondered what was fundamentally different about these two incidents.  On the surface, they’re very similar. There are also some important differences.  Is Snowden justified in what he did?  Is it morally any different than the reporters who disclosed the Panama papers?

Both were very large collections of documents that were never intended to be available to the public.  Both implicated political figures and government leaders for behavior that is generally considered inappropriate and unacceptable.  Both caused great political turmoil and both were major security incidents, at least for those whose documents were revealed. 
But there are some distinct differences as well.  Snowden was sworn to secrecy by the government whose documents he leaked.  The reporters who disclosed the Panama Papers didn’t break any laws as far as we know.  Snowden is considered by many a traitor, the reporters will probably get an award for great journalism.  Snowden revealed what he and many others felt were illegal and invasive practices by government agencies.  The Panama Papers may not show any illegal actions, only questionable behavior by politicians, not government agencies.

Purely from a security standpoint, Snowden broke the law.  He held a position of trust with a top secret security clearance.  He signed a non-disclosure agreement that basically says he wouldn’t reveal the secrets he learned while performing his duties.  Some have said took an oath “to protect and defend the constitution against all enemies foreign and domestic.”  Apparently, only military members and the president take that oath.  But even if he had taken the oath, many would argue he did not violate it as he felt the agencies were overstepping their authority.  Snowden feels he did what was morally correct, a higher standard of loyalty to the Constitution than to the law.

There’s no doubt in my mind the politicians implicated by the Panama Papers are dodging taxes and doing so legally, but in violation of the trust of the citizens they represent – at least those leaders who represent democratic governments. 

I still think what Snowden did was wrong.  It violated security laws.  However, he did act very morally, he did what he thought was right.  For that I applaud him.  I have more respect for Snowden than I ever will for any politician.  Many politicians consistently operate on the edge of laws, always being careful to obey the letter of the law, but somehow always violating the intent of it.  

Either way, we always end up with the human factor being the weakest link in security.

Tuesday, April 5, 2016

Passive Authentication: The Future of Security

CYBR650 Week 3

Without change there is no innovation, creativity, or incentive for improvement. Those who initiate change will have a better opportunity to manage the change that is inevitable.
William Pollard


Security Week blogger Kevin Townsend, a guy who’s been writing about information security for 15 years, published a blog post entitled Is Passive Authentication the Future for User Authentication?  My initial reaction was to be skeptical.  The concept of being passive about security goes against everything I’ve been taught in the last few years.  I took a deep breath and decided to explore with an open mind.

Everybody hates passwords.  They are a necessary evil.  Like shaving or changing the oil in your car, something that has to be done.  Those who reject this concept in the name of convenience threaten everyone’s security by being the weakness in the security structure.  But mobile computing has changed the landscape as people have pushed for easier security.  Passwords have been exchanged for PIN codes.  Banks and others who have higher security requirements have started using 2 step verification—you log in with a password or PIN and then must also provide a code that is sent to your Smart phone.  It’s much harder to steal login information because you have to have both parts to get in. 

Everything I was able to find on passive authentication was very technical in nature like this blog post by KidoZen which has a pretty good explanation.  But if you want the less technical version, read on…

Meet Bob, a young professional sales representative who is fully connected to the digital world through his technology.  Bob’s company feels strongly about security, but knows Bob will get around security if he’s given any opportunity to do so.  Bob logs into his corporate VPN with his chip enabled smart card and password on his corporate laptop when he’s away from the office.  Bob hates having to carry the card and has lost it on several occasions.  Bob’s company is tired of replacing them at $20 each.

Bob’s company decides to replace the smart card with a one-time-password application.  OTP apps work on a smart phone or other mobile device.  Bob had to set it up at work so the network trusts his phone and syncs the OTP which was a pain, but once it was done, all Bob has to do is open the app when he wants to login.  He provides his usual login password and the one-time password, a randomly generated number that the company and the smart phone both know.  It works great until Bob loses his cell phone. 

If Bob’s sales figures weren’t so high, they would fire him.  So they decide to try passive authentication.  When Bob logs into the VPN on his corporate laptop, the network recognizes the laptop as a trusted corporate computer.  The VPN also recognizes the network that Bob is logging in from, one of his regular customers.  Because the laptop and the location (network) are recognized, Bob only has to enter his password.  The laptop and recognized network provide the second factor.  Later, when Bob is at the airport bringing his latest sales contract back to corporate headquarters, he has to use the OPT app on his smart phone again since he’s not on a trusted network. 

Passive authentication relies on some known factor about the user or the user’s device to act as the 2nd factor.  If only one factor is required it could be the device, so Bob wouldn’t need to use his password at all.  This will most likely be used first for mobile devices like smart phones (after it’s registered to the user) when they are on known networks (networks that are deemed secure). 

I don’t know if passive security is as safe as current active security measures, but I have no doubt that the convenience will drive the change to make it more secure.  Devices and networks will be configured to work with passive security systems.  

Someday Bob’s children will ask him to explain what a password is. 

Sunday, March 27, 2016

Protecting your Environment: Threat Identification Sources

CYBR650 Week 2

I talk a lot about balance.  Security vs. access, freedom vs. privacy, cost vs. benefit.  But some things just have to be done, no balance required.

Security is about protecting information, and to do it well requires good information.  So what is a federal employee to do if they want to protect the data that has been entrusted to him or her? --The data of the millions of American citizens who depend on their government to protect them? This is a broad question that needs solid answers.  And I stress the significance of “federal employee” because I am one.  I have to work within the framework of regulations, policies and directives (and sometimes emails with strongly worded suggestions on what I should do).  Here is the list of useful information I look to for direction.  Many are Federal government specific; all but one are accessible to every American with an Internet connection.  So here they are in no particular order…

The NIST National Vulnerability Database – This is a repository of vulnerabilities that anyone can use to look for threats and vulnerabilities from very general to hardware or software specific.  NIST is a government agency charged with establishing standards for many government entities.  As of the date of this blog, there were 75,708 identified vulnerabilities.  The place to start looking is in the Vulnerability Search Engine, listed first under the NVD Primary Resources.  The title “Primary Resources” is accurate because it lists the most helpful ways to get information out of the database.

US CERT – The United States Computer Emergency Readiness Team’s National Cyber Awareness System (NCAS) provides a quick way to see current threats.  I would recommend subscribing to at least one of the choices they offer – Alerts, Bulletins and Tips, with the Current Activity link a good place to see what’s happening right now.

Security Blogs – I’m a big fan of Blogs.  They are a quick way to get relatively current information that has been compiled by a professional – if you use one of the reputable sites such as TechRepublic.  If you’re not sure, the Internet has some great suggestions like this blog from Marble Security listing the 10 Security Blogs You Should Be Reading.  Pick two or three to get a feel for what’s out there and then subscribe to the ones that are most helpful to you.

Directly Related to Your Work Environment – For me, this is the VA-NSOC –The Veterans Administration Network and Security Operations Center – While I can’t directly connect to the NSOC to show you what it’s about, it is a critical resource for me.  You should have a 24/7 resource within your organization you can call for help with urgent and critical security issues.  They are the first line of defense when you have an incident and they should be contacting you when they detect threats in your work environment so you can help them remove infected equipment or other action to deal with real-world threats to your network.

Data Breach analysis – One of the best resources you can look at when looking at what you need to defend against is a data breach analysis.  These reports tell you what has been attacked and also provides general guidelines for what you should be doing to defend against these attacks.

Education – You can do all of the above and you will be more effective at protecting your own network.  But one of the smartest moves you can make is to get a degree focused on cybersecurity.  These other resources will provide useful information and you will need to go to them often, but you also need to support it with a good general background in cybersecurity.  This will fill in the gaps in your knowledge so that you understand how the whole system works so you can better defend it.  
Security Requires Wisdom
CYBR650 Week 1




I’ve decided to change political parties this election season.  I’m pretty conservative in a lot of my viewpoints, but I’ve heard some good ideas presented by liberal politicians.  The problem is that the Republicans and Democrats are so busy trying to prevent the other side from getting their own way, they refuse to even consider reasonable discussion on practical matters.  For a while I thought the Green Party had some good ideas, but some of what they espouse was too socialist for me.  I also considered the Libertarian Party.  However, their focus on personal liberty seems a bit selfish or isolationist to me. 

So I declare my allegiance to the Centrist Party.  Centrists are traditional, but practical.  They balance individual rights with the greater good of all of society.  They hold the ideals of pragmatism over compromise.  The Centrists don’t have a candidate in the Presidential race that’s going on now, so I can’t vote for a declared Centrist, but I can choose a candidate who holds Centrist values.

So why all this talk about politics in a blog about security? 

Centrist ideals apply to the balancing act between freedom and security in politics, but they also apply to technology, the Internet and the Internet of Things.  We should embrace technology as it brings many benefits, but we have to do so with prudence and wisdom. 

The quote at the beginning of this post elegantly states that we have to use technology wisely, or we may end up destroyed by it.  We have to balance security and the freedom that technology brings.  In the ever escalating arms race of hackers vs. security practitioners, we need to balance protection with freedom.  Will there be casualties?  No doubt about it, but we have to be wise enough to build security into the Internet of Things and free enough to enjoy the benefits new technology brings.

Just as in our democracy we have to balance our personal liberties with the responsibility to our communities and fellow citizens, we can’t have perfect security and still travel around the world at will.  We can’t keep our airports and train stations completely terrorist free.  We can’t say no to all Muslims who want into our nation and we can’t throw the borders wide open.  We have to be wise in Centrist ways, not politicizing national security or Internet security, but seeking the greatest good for all.